Nishant

Reputation: 21914

How does XSS Work - Especially when we have cross domain security?

I read How does XSS work? but I still don't get this point.

Scenario :

  1. I run mybank.com site and an end user logs in to the site.
  2. Someone "injects" malicious code by submitting a GET that gets printed or echoed back.
  3. As far as I know your requests always go to mybank.com because cross-domain requests are disallowed by default.
  4. So how do I actually manage to send contents to mysite.com, assuming mysite is a malicious user's site who wants to exploit mybank.com's XSS vulnerabilities?

If I can't change point 3, then probably there is no way I could do 4. But if 4 can be done, is it done by changing window.location.href or document.location, i.e. breaking assumption 3? Now it behaves like it is mysite.com?

Or is there any other way you could hijack site without 4 ?

Upvotes: 0

Views: 154

Answers (2)

Jonathan Gray

Reputation: 2609

GET requests are simple requests you can make just by loading a URL. Suppose the vulnerable page allows you to send a money order to someone using a pure GET request like this:

http://bank.com/sendmoney?user=attacker&amount=everything

Just navigating to the URL means you want to send all of your money to the attacker (lol)... Suppose the only security is that you must be logged into bank.com.

Now suppose you visit this attacker's website while logged into bank.com and he has an img element with the src attribute set to that URL. Just by visiting the page you've sent all of your money to the attacker. That's it in a nutshell.

Usually XSS means you are able to actually inject code directly onto the page because the logic used on the server side echoes the contents of a GET-request variable directly onto the page without sanitizing the input. Hopefully this helps you understand a little better.

Upvotes: 1

epascarello

Reputation: 207511

Once the code gets injected, there is no "security", the browser thinks that all the code that is running on the site belongs there.

Think about what you can do in your own web pages when you code. You can have JavaScript click on buttons, submit forms, click links, etc. You can have the code inject elements, more code, remove things, etc.

So imagine what a developer can do to an email app or a bank account. They could send emails or transfer money. Just need to fire the right steps.

Now how can they transfer information out? As simple as making a GET or POST request. They set up an end point somewhere and make a request to it. The end point logs the data. Requests can be made with AJAX, images, form submissions, loading up iframes, etc.

Cross-domain requests are allowed if the other domain you want to talk to allows it.

Upvotes: 2
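The point both answers make (a server echoing a GET parameter straight into the page, so the browser runs the injected code as if it belonged to the bank) is easiest to see side by side with the fix. This is an added example, not code from the question or either answer; the `/search?q=` endpoint, the `mybank.example` host and the probe string are assumptions.

```javascript
// Escape the five characters that let a value break out of HTML text or
// a quoted attribute. This is the "sanitizing" the answer above refers to.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the "q" GET parameter out of a request URL (hypothetical endpoint).
function queryParam(rawUrl) {
  return new URL(rawUrl, "http://mybank.example").searchParams.get("q") ?? "";
}

// Vulnerable: the parameter is pasted into the markup as-is, so a value such
// as <script>...</script> becomes a real script element running as the bank's
// origin, with the logged-in user's session.
function renderVulnerable(rawUrl) {
  return `<h1>Results for ${queryParam(rawUrl)}</h1>`;
}

// Hardened: the same value is rendered as text; the browser displays the
// angle brackets instead of parsing them as a tag.
function renderSafe(rawUrl) {
  return `<h1>Results for ${escapeHtml(queryParam(rawUrl))}</h1>`;
}

// Second layer: a Content-Security-Policy that limits where the page itself
// may send data (fetch/XHR, images, form posts), which blunts the
// "make a request to an endpoint somewhere" step even if escaping is missed.
function defensiveHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; connect-src 'self'; img-src 'self'; form-action 'self'",
  };
}

// Cheap check for the demo: did a script element survive rendering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request using the classic harmless probe string.
const probe = "/search?q=" + encodeURIComponent("<script>alert(1)</script>");

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderVulnerable(probe)); // the tag survives: browser would execute it
  console.log(renderSafe(probe));       // shown as literal text, nothing runs
}
```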
